Summary

Multiple vulnerabilities exist in the Cisco PGW 2200 Softswitch series
of products. Each vulnerability described in this advisory is independent from
other. The vulnerabilities are related to processing Session Initiation
Protocol (SIP) or Media Gateway Control Protocol (MGCP) messages.

Successful exploitation of all but one of these vulnerabilities can
crash the affected device. Exploitation of the remaining vulnerability will not
crash the affected device, but it can lead to a denial-of-service (DoS)
condition in which no new TCP-based connections will be accepted or
created.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that mitigate these
vulnerabilities.

Affected Products

Vulnerable Products

The Cisco PGW 2200 Softswitch is affected by these vulnerabilities. The
following table displays information about software releases that are affected
by individual vulnerabilities. Each vulnerability in the table affects all
software releases prior to the release that is listed in the table.

Cisco Bug ID

Affects All Software Releases Prior This
Version(s)

CSCsz13590

9.8(1)S5

CSCsl39126

9.7(3)S11

CSCsk32606

9.7(3)S11

CSCsk44115

9.7(3)S11, 9.7(3)P11

CSCsk40030

9.7(3)S10

CSCsk38165

9.7(3)S10

CSCsj98521

9.7(3)S9, 9.7(3)P9

CSCsk04588

9.7(3)S9, 9.7(3)P9

CSCsk13561

9.7(3)S9, 9.7(3)P9

To determine the software version running on a Cisco product, log in to
the device and issue the RTRV-NE command. This command
displays information about the Cisco PGW 2200 Softswitch hardware, software,
and current state.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by these
vulnerabilities. In particular, Cisco IOS Software is not affected by these
vulnerabilities.

Details

SIP is a popular signaling protocol used to manage voice and video
calls across IP networks such as the Internet. SIP is responsible for handling
all aspects of call setup and termination. Voice and video are the most popular
types of sessions that SIP handles, but the protocol is flexible to accommodate
for other applications that require call setup and termination. SIP call
signaling can use UDP (port 5060), TCP (port 5060), or Transport Layer Security
(TLS; TCP port 5061) as the underlying transport protocol.

MGCP is the protocol for controlling telephony gateways from external
call control elements known as media gateway controllers or call agents. A
telephony gateway is a network element that provides conversion between the
audio signals carried on telephone circuits and data packets carried over the
Internet or other packet networks.

Multiple DoS vulnerabilities exist in the Cisco PGW 2200 Softswitch SIP
implementation, and one vulnerability is in the MGCP implementation.

The following vulnerabilities can cause affected devices to crash:

CSCsl39126 (registered customers only), CVE ID CVE-2010-0601

CSCsk32606 (registered customers only), CVE ID CVE-2010-0602

CSCsk40030 (registered customers only), CVE ID CVE-2010-0603

CSCsk38165 (registered customers only), CVE ID CVE-2010-0604

CSCsk44115 (registered customers only), CVE ID CVE-2010-1561

CSCsj98521 (registered customers only), CVE ID CVE-2010-1562

CSCsk04588 (registered customers only), CVE ID CVE-2010-1563

CSCsz13590 (registered customers only), CVE ID CVE-2010-1567

The following vulnerability may cause an affected device to be unable
to accept or create a new TCP connection. Existing calls will not be
terminated, but no new SIP connections will be established. If exploited, this
vulnerability will also prevent the device from establishing any new HTTP, SSH
or Telnet sessions.

CSCsk13561 (registered customers only), CVE ID CVE-2010-1565

Workarounds

There are no workarounds for the vulnerabilities in this
advisory.

In the case of the vulnerability that corresponds to Cisco Bug ID
CSCsk13561, administrator must manually reboot the affected device to restore
the device's ability to accept new connections. Because vulnerability prevents
new TCP-based session to be created, this reboot can be initiated only from the
console. If a failover device is configured, existing sessions will continue
while the affected device is reloading. Without a failover device, all active
sessions will be terminated while the affected device is reloading.

Fixed Software

When considering software upgrades, also consult
http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a complete upgrade
solution.

In all cases, customers should exercise caution to be
certain the devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported properly by
the new release. If the information is not clear, contact the Cisco Technical
Assistance Center (TAC) or your contracted maintenance provider for assistance.

All vulnerabilities listed in this Security Advisory are addressed in
Cisco PGW 2200 Softswitch version 9.7(3)S11, version 9.8(1)S5, and subsequent,
software releases.

Exploitation and Public Announcements

The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.

These vulnerabilities were discovered during internal
testing.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

URL

Revision History

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.